Cisco Support Community
Community Member

ASA site to site tunnel with U turn config

Hello,

I have site to site VPN tunnel running between ASA 5510 (8.2) and Cisco PIX506 (remote site). I need to enable users in remote office to surf the net. I was looking into the documentation here and enabled traffic to enter/exit the same interface on ASA (same-security-traffic permit intra-interface), however there's something still missing. I'm not sure how to troubleshoot this issue...

ASA is configured to NAT inside clients to one public IP (VPN tunnel also terminates to this interface)

ASA:

global (outside) 1 208.x.x.x
nat (inside) 0 access-list No-Nat-VPN    
nat (inside) 1 0.0.0.0 0.0.0.0

So when the packets to Internet arrive thru the tunnel, they need to be sent out on the same interface and NATted (but to get tunnel to work I had to exempt interested traffic from NAT). Is this causing a problem?

7 REPLIES

Re: ASA site to site tunnel with U turn config

Hi,

The NAT rules should be like this:

global (outside) 1 208.x.x.x
nat (outside) 1 x.x.x.x mask -->  VPN pool

With the above, you're NATing the VPN clients when going out to the Internet.

You can still leave the NONAT ACL for the VPN traffic itself.

Federico.

Community Member

Re: ASA site to site tunnel with U turn config

Hi Federico,

You are referring to VPN clients... does the same logic pertain to site to site tunnels? Assuming that my remote site network in VPN tunnel config is 192.168.10.0/24, what commands should I issue to achieve appropriate NAT config (U turn)?

Will these statements "NAT" traffic to Internet from my remote network, as you suggested?


hostname(config)# same-security-traffic permit intra-interface
hostname(config)# nat (outside) 1 192.168.10.0 255.255.255.0


If so.. will traffic to Internet go over the tunnel? I'd like to have it this way.


thanks






Re: ASA site to site tunnel with U turn config

Correct.

You should see translations for your remote network.

i.e

sh xlate

Federico.
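The complete hub-and-spoke U-turn configuration that Federico's two replies and the question above describe, written out as an added example (this is not the poster's or Federico's config). Assumed values: hub LAN 192.168.1.0/24 behind the ASA 5510 on 8.2 code, spoke LAN 192.168.10.0/24 behind the PIX 506, the existing crypto map, ISAKMP policy and peer statements left untouched, and the default sysopt connection permit-vpn so decrypted tunnel traffic bypasses the outside ACL. The ACL and crypto map names are made up for the example; the hub's public address is written as "interface" because the original post elides it.

```cisco
! ---- Hub ASA 5510 (8.2) ----
! 1. Allow a packet that entered on outside (from the tunnel) to leave on outside again.
same-security-traffic permit intra-interface

! 2. NAT exemption ONLY for hub LAN <-> spoke LAN (assumed 192.168.1.0/24 <-> 192.168.10.0/24).
!    Internet-bound spoke traffic is deliberately not matched here, so it falls through
!    to the dynamic NAT rules below instead of being sent untranslated.
access-list No-Nat-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list No-Nat-VPN

! 3. PAT to the outside interface address for both the local LAN and, via the
!    nat (outside) line, for spoke traffic that arrived on outside through the tunnel.
!    "interface" stands in for the 208.x.x.x address elided in the original post.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0

! 4. The hub's crypto ACL must mirror what the spoke encrypts: anything -> spoke LAN.
!    (Example names; attach to whatever crypto map entry already serves this peer.)
access-list L2L-SPOKE extended permit ip any 192.168.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-SPOKE

! ---- Spoke PIX 506 (6.x) ----
! Send everything from the spoke LAN into the tunnel, not just hub-LAN traffic,
! and exempt that same traffic from the spoke's own NAT.
access-list L2L-HUB permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list L2L-HUB
crypto map HUB-MAP 10 match address L2L-HUB

! ---- Verification on the hub after a spoke host browses the Internet ----
! Decrypt counters on the spoke SA should increase for traffic to non-hub destinations.
show crypto ipsec sa
! Translations for spoke hosts appear because nat (outside) 1 is doing its job.
show xlate | include 192.168.10
! Confirm the ordering: the NAT-0 exemption, then the two dynamic rules.
show running-config nat
```

Two things bite in practice. If the NAT-exemption ACL on the hub is widened to "192.168.10.0/24 to any" (or the spoke's crypto ACL is left at "spoke LAN to hub LAN"), Internet-bound packets either leave untranslated with a private source and never return, or never enter the tunnel at all; the asymmetry between the two ACLs above is intentional. And every spoke Internet flow now exits the hub's outside interface using the hub's public address, so the hub's outside ACL, logging and bandwidth all apply to spoke users as well.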

Community Member

Re: ASA site to site tunnel with U turn config

Tested and working. Thank you.

How could I redirect the Internet traffic to web filter connected directly to inside interface of ASA? 

Re: ASA site to site tunnel with U turn config

If the URL-filtering server is a websense or SmartFilter you can use the url-redirect feature on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html

Federico.

Community Member

Re: ASA site to site tunnel with U turn config

This is 3rd party appliance connected directly to the ASA's inside int... is it possible to route internet traffic from the tunnel to go thru the web filtering appliance?

Re: ASA site to site tunnel with U turn config

Unfortunately you can't do Policy-Based Routing on the ASA (or equivalent).

To redirect URL traffic you will be using the link that I sent you, or WCCP (not sure if it will work for you), take a look:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/wccp.html

Federico.

1413 Views, 0 Helpful, 7 Replies